The customer was receiving an abundance of Invalid Session Authentication Failed (SIM User Authentication) failures.
A lot of Invalid Session Authentication Failed events from SIM Audit-2 would be seen in Log Activity
These messages are related to browser trying to access an expired session token.
Diagnosing The Problem
Look in the /var/log/audit/audit.log file to see if you can determine which IP it's coming from.
Resolving The Problem
Restart tomcat by running the following command on the console command prompt:
service tomcat restart
Alternatively from the QRadar web user interface, Click Admin Tab > Advanced > Restart Web Server
Where do you find more information?
Was this topic helpful?
16 June 2018